Home Affairs CommitteeWritten evidence submitted by the Communications Crime Strategy Group [EC 09]
1. The Communications Crime Strategy Group currently draws its membership from the following telecommunication companies:
British Telecom.
Hutchinson 3G.
Vodafone.
EverythingEverywhere (Orange and T Mobile brands).
Carphone Warehouse.
Phones 4U.
Cable Wireless Worldwide.
B Sky B.
Verizon Business.
O2 Telefonica.
Virgin Media.
The Group objective is to set the strategic crime agenda for the industry member’s it represents and part of this strategy is to identify risks associated with e-crime.
What e-Crime is understood to be and how this affects crime recording
2. For the purpose of this submission e-crime is defined as crime that is committed by use of electronic means and incorporates the term cyber crime, those crimes which can only be committed through the use of cyber techniques, and cyber enabled crimes, those crimes which are escalated or assisted by the online electronic environment.
3. The telecommunication industry and its customers find major challenges in both the reporting and recording of crimes, to law enforcement, that fall under the e-crime umbrella. There is little, if any, knowledge at the front end of policing as to how such criminality should be addressed and recorded and invariably, because the perpetrators reside outside local police boundaries; all too often the response of front desk officers at police stations is to push the problem elsewhere under the guise that the “crime” needs to be reported where the crime took place. This approach often causes such crimes to go unreported.
4. 2011–12 has seen the expansion of “Action Fraud” as a web site/call centre to which most types of fraud can be reported and whilst this is to be commended it still has some way to go to be a one stop shop for the reporting and recording of all types of e-crime related fraud. There is also recent evidence that some Police stations are now using this central reporting/recording process as a means of yet again passing victims of e-crime on and therefore not recording and/or investigating criminality that falls within this area.
It is our view that a clear distinction needs to be made between the recording for, statistical and intelligence purposes, for which Action Fraud was established and the role of police to investigate such criminality.
The extent and nature of the threats on which e-Crime policy is based and how well they are understood by policy makers
5. The widespread expansion of the internet, along with the extensive uptake of new technologies, including smart devices such as mobile phones, has extended the reach of e-criminality beyond those technically capable criminals to a much wider audience due to the easy availability of tools and scripts that enable amateurs to proliferate crimes that previously were only available to the more technically capable.
The explosion of forums and other peer to peer areas where tools are available to download has seen the establishment of a culture and marketplace which is lacking in the normal oversight by authorities and law enforcement leading to an almost total lack of policing/regulation of what is in fact a public place.
This has left policy makers un-prepared and unable to have any real influence on how such places are operated/policed due to the nature and cross jurisdictional aspects that transcend national and international boundaries.
The effectiveness of current law enforcement and legislative capabilities, including local and regional capabilities and the potential impacts of proposed organisational change
6. For all but the most serious crimes, terrorism and child exploitation, the effectiveness of law enforcement, both at the local and regional levels, to tackle every day e-criminality is to say the lease patchy and in most cases non existent.
E-crime, by its very nature, transcends regional and national boundaries whilst often manifesting itself through local victims who are often left without any support at local level.
Where specialised e-crime units do exist they are often overstretched to the point that only the most pressing of cases can be properly investigated or pursued.
Legislation is often a barrier to such investigation due to its inadequacy to keep abreast of threats as well as lack of detailed understanding by both investigating officers and crown prosecutors of how the legislation can or should be applied.
Levels of proof are often set so high as to prevent any possibility of a successful prosecution of offenders, leaving law enforcement officers having to revert to lesser charges for more serious offences.
7. Whilst the impact of organisational changes can only be implied, based on the experience of changes to date, in day to day policing, there appears to be every likelihood that the services and resources necessary to keep abreast of the ever increasing threat from e-crime will be even more overstretched or non existent at all but the most senior regional or national level.
Whether there are any gaps in the response to e-crime and, if so, how they should be addressed
8. Response to e-crime needs to have cohesion at local, regional, national and international level. Currently the way e-crime is handled is often down to a “local” enthusiastic officers and the overall approach to e-crime lacks structure and any real strategic direction. Major forces such as the Metropolitan Police Service have high levels of expertise in tackling e-crime however this expertise is often centered on specialist units and is very quickly dissipated at regional and local levels of policing.
There is an obvious need to have some form of top down approach until such time the necessary levels of knowledge and expertise can be established at local levels.
9. The two areas that require better cohesion and consistency are that of reporting and investigating. In terms of reporting there needs to be clear direction at local police level as to how e-crime is reported and recorded and this needs to be in conjunction with the ability to extract local reporting/recording to a national level so as to enable an overall national picture to be better formed.
10. Investigation of e-crime requires specialist skills sets that are scarce at local level as are the necessary resources. Therefore there needs to be regional centres of expertise and resource that can act on behalf of local policing in this area with the ability if necessary to call on national resources when these are required. Whilst the victims of such crimes are often at the local level the perpetrators very rarely are.
Options for addressing key emerging issues that will affect the public such as liability over personal computer security, personal data held by social networking sites and its vulnerability to criminal use
11. By their very nature the methods used by criminals to commit e-crime can change rapidly and new threats materialise with very little or no warning. Add to this mix the explosive take up, by the public and business, of modern communication devices giving a myriad of ways to access the internet and in so doing potentially increasing the risk of becoming victims of the e-criminal.
12. The importance of personal data and its role in the commission of e-crime is only just becoming recognised by the public and businesses, especially as it relates to access via a mobile device and it is imperative that this education process of the community continues.
13. The Government have a major role to play in ensuring that the right security messages, for the use of these devices and social network sites, are communicated to as wide a demographic as possible. This activity is a trinity of efforts between Government, Business and the Public and no one community can act on its own but there is a clear leadership role to be played by Government.
14. The Government, as advised by the expert agencies, needs to balance public awareness against letting criminals become aware of methodology and techniques that will enable the criminal to circumvent security or use systems in a way not intended. Greater exposure of sources of information for the user such as Get Safe On Line (www.getsafeonline.org) and Action Fraud (www.actionfraud.police.uk) and educational messages such as “The Devils In Your Details” (www.thedevilsinyourdetails.com) need to be built upon and constantly refreshed and targeted toward at risk groups.
15. Business has a role to ensure that customers are made aware of their responsibility in respect operation of devices and how best they can protect themselves. Whilst the public requirement is to have transparency in the security of the devices they operate this is not always practical or advisable and the public must be made aware of how they can and must assist in the war against this type of criminality. There are also major challenges when the business that are marketing devices, systems and applications are international in nature and have operations based outside UK jurisdiction.
16. ISPs and service providers are increasingly—and rightly—expected to do more to support their users to have safe online experiences and where reasonable remove criminal content from the services. However for e crime to be tackled effectively there needs to be more effective mechanisms for members of the public to report interactions or content that they believe is criminal. Some mechanisms exist, for example in relation to images of child sexual abuse, or grooming, but it is not clear how a members of the public should report others such as online harassment or racist content. Some police forces have online report forms but these are lengthy and detailed and not applicable as they are written for victims, when often the person reporting has observed behaviour and merely wants to report it for investigation. Police forces urgently need to review their online presence to check and assess whether the existing reporting mechanisms are fit for purpose on the age of social media and always on communications.
17. Finally the public MUST become more engaged to take on their responsibilities in securing what is in fact the front line and soft under-belly of e-criminality. Car security and home security are examples where the public are much more engaged than they are with mobile or static electronic devices and there may be lessons to be learned from such areas.
The effectiveness of current initiatives to promote awareness of using the internet safely and the implications of peoples’ online behaviours for related public policy
18. Recent campaigns such as “The Devils In Your Details” and “The Rough Guide To Staying Safe On Line” are examples of using modern communication channels to communicate out to the at risk demographics however, like anything in the fast and changing world of communication, messages quickly become stale and therefore less effective in getting the message out to those at risk. The other major challenge is the plethora of sites, some Government endorsed/funded and other put there by “concerned parties” that offer a confusing range of advice, some good, some bad and some downright confusing to the average user.
19. There is a clear need to rationalise from where the authorised messages come from. For example I have referred in paragraph 14 to three sites that have government backing there are also many others such as www.staysafeonline.org/ , www.saferinternet.org.uk/ and many more. This leads to a great deal of confusion in the mind of the public when seeking advice on this subject.
20. Peoples on line behaviour confirms that one size does NOT fit all. This presents many challenges to the trinity partnership when trying to engage on security and personal privacy issues as the late teen early twenties user is totally different in their risk taking than say the “silver surfer” however all are exposed to some degree to the same risk from e-crime.
Public Policy therefore MUST take on board the variance there is in personal behaviours of the on line community and tailor any awareness initiatives to reflect this, not an easy task!
J A Wraith MBE
Secretary
Communication Crime Strategy Group
August 2012